Mitsubishi Electric MELSEC WS Series

Plan Patch7.5ICS-CERT ICSA-23-138-02May 18, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Mitsubishi Electric MELSEC WS0-GETH00200 Ethernet gateway module (serial numbers 2310**** and earlier) contains an authentication bypass vulnerability. An attacker can connect via telnet without valid credentials and reset the module, disclose or modify the module's configuration, or rewrite its firmware.

What this means

What could happen

An attacker with network access to the gateway module could bypass authentication via telnet, allowing them to reconfigure network settings, reset the device, or replace firmware—potentially disrupting communication between the PLC and remote monitoring systems or introducing malicious code into the control network.

Who's at risk

This affects water utilities and electric utilities running Mitsubishi Electric MELSEC control systems that use the WS0-GETH00200 Ethernet gateway module for remote communication or monitoring. The module is commonly deployed as a bridge between legacy PLCs and modern network infrastructure.

How it could be exploited

An attacker connects to the module via telnet on the network. The module accepts the connection without requiring authentication (or with default/blank credentials). The attacker then issues commands to reset the module, access its configuration, or upload new firmware.

Prerequisites

Network access to the WS0-GETH00200 module on the telnet port (typically port 23)
The module must be running a serial number in the vulnerable range (2310**** or earlier)
The telnet service must be enabled on the module

remotely exploitableno authentication requiredlow complexityaffects gateway/network communicationno patch available for older serial numbers

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

WS0-GETH00200: <= Serial Numbers 2310****≤ Serial Numbers 2310****Serial numbers 2311**** and later

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDSet a strong telnet password (up to 15 characters) on the affected module using the telnet client password command to require authentication for telnet sessions

HARDENINGDeploy a firewall rule to block telnet (port 23) access to the WS0-GETH00200 module from untrusted networks and hosts

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXReplace WS0-GETH00200 modules with serial numbers 2310**** or earlier with units carrying serial number 2311**** or later

HARDENINGRestrict the module to operation within a local area network (LAN) only and block external internet access

Long-term hardening

0/1

HARDENINGRestrict physical access to the LAN to prevent untrusted devices from connecting to the network segment containing the gateway module

CVEs (1)

CVE-2023-1618

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0e9d8c6f-04c2-4ab1-baa2-f7938054b03f